@cristianpb
Last active April 11, 2022 17:32
traefik static file config
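# Traefik dynamic configuration, loaded by the file provider.
# Nesting restored: the flattened listing repeated keys such as
# `loadBalancer` and `servers` at a single level, so it could not be
# loaded as written.
http:
  # Backends. All three are plain-HTTP targets on private addresses, so
  # traffic between Traefik and the backend is unencrypted.
  services:
    snapcast:
      loadBalancer:
        servers:
          - url: "http://192.168.12.142:1780/"
    mopidy:
      loadBalancer:
        servers:
          - url: "http://192.168.12.142:6680/"
    raspicam:
      loadBalancer:
        servers:
          - url: "http://192.168.12.94:80/"

  routers:
    # Matches on path only (no Host check), limited to one entryPoint.
    snapcast:
      rule: "Path(`/jsonrpc`)"
      service: "snapcast"
      entryPoints: ["websocket-snapcast"]
    mopidy:
      rule: "Host(`jetson.local`) || Host(`192.168.43.54`) || Host(`192.168.12.1`)"
      service: "mopidy"
      entryPoints: ["web", "websocket-mopidy"]
    # TLS variant of the mopidy router.
    # NOTE(review): no entryPoints are set (the line below is commented
    # out), so this router is not pinned to web-secure - confirm that is
    # intended. If re-enabled, entryPoints takes a list, as on the routers
    # above.
    mopidy-secure:
      rule: "Host(`jetson.local`) || Host(`192.168.43.54`) || Host(`192.168.12.1`)"
      service: "mopidy"
      #"traefik.http.routers.app-secure.tls.options=foo"
      # `foo` must resolve to a TLS options set in the dynamic
      # configuration; check the Traefik log for an unknown-options error.
      tls:
        options: "foo"
      #"traefik.http.routers.app-secure.entryPoints=web-secure"
      #entryPoints: "web-secure"
    # No entryPoints and no tls here, so the camera is served over plain
    # HTTP wherever the rule matches, with no authentication middleware.
    raspicam:
      rule: "(Host(`jetson.local`) || Host(`192.168.43.54`) || Host(`192.168.12.1`)) && PathPrefix(`/raspicam`)"
      #rule: "PathPrefix(`/raspicam`)"
      #rule: "Host(`cam.jetson.local`)"
      service: "raspicam"
      middlewares:
        - "raspicam-replace"

  middlewares:
    # Prepends /raspicam to the request path.
    # NOTE(review): with the PathPrefix(`/raspicam`) rule the path already
    # starts with /raspicam, so /raspicam/x becomes /raspicam/raspicam/x -
    # confirm the backend expects that.
    raspicam-replace:
      replacePathRegex:
        regex: "^/(.*)"
        replacement: "/raspicam/$1"

# Certificate stanza, disabled. Before enabling: the unit file sets
# ProtectHome=true, which hides /home from the service, so the files must
# live outside /home; the key should be readable by the traefik user only.
#tls:
#  certificates:
#    - certFile: /home/nano/traefik/jetson.cert
#      keyFile: /home/nano/traefik/jetson.key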
[Unit]
Description=traefik proxy
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
[Service]
Restart=on-abnormal
; User and group the process will run as (unprivileged, not root).
User=traefik
Group=traefik
; Start Traefik with the static configuration file; that file points the file provider at the dynamic configuration.
ExecStart=/usr/local/bin/traefik --configfile=/etc/traefik/traefik.yml
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Use private /tmp and /var/tmp, which are discarded after traefik stops.
PrivateTmp=true
; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
PrivateDevices=false
; Hide /home, /root, and /run/user from the service. Certificates or keys kept under /home (such as the commented-out certFile/keyFile paths in the provider file) will not be readable.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/traefik/acme, which stays writable so ACME (Let's Encrypt) certificates can be stored there.
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
; NOTE(review): ReadWriteDirectories is the older spelling of ReadWritePaths; newer systemd accepts both.
ReadWriteDirectories=/etc/traefik/acme
; The following additional security directives only work with systemd v229 or later.
; They are active here and further restrict privileges that can be gained by traefik.
; Note that you may have to add capabilities required by any plugins in use.
; CAP_NET_BIND_SERVICE is the only capability kept; it lets the non-root traefik user bind ports below 1024 (:80 and :443 in traefik.yml).
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
; Prevent the process and its children from gaining privileges (e.g. via setuid binaries).
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
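# Traefik static configuration (/etc/traefik/traefik.yml).
# Nesting restored from the flattened listing.

# Don't send external data
global:
  checkNewVersion: false
  sendAnonymousUsage: false

# Enable Traefik API at entrypoint 8080
# NOTE(review): insecure mode serves the API and dashboard without
# authentication, so anyone who can reach port 8080 can read the whole
# routing configuration. Keep that port unreachable from untrusted
# networks, or publish the API through a router with authentication.
api:
  insecure: true
  dashboard: true
  # Debug API for profiling. Exposes debugging/profiling endpoints on the
  # same unauthenticated API; turn off when not actively profiling.
  debug: true

# Log level, debug to have explicit logs (verbose; lower it for normal
# operation)
log:
  level: debug

# File to get access log
# The directory must exist and be writable by the user Traefik runs as.
accessLog:
  filePath: /var/log/traefik/access.log

# Tell Traefik where to find services
providers:
  file:
    # watch is off, so edits to provider.yml are not picked up until
    # Traefik is restarted.
    watch: false
    filename: /etc/traefik/provider.yml

# Define which ports Traefik should be listening to
entryPoints:
  web:
    address: ":80"
  web-secure:
    address: ":443"
  # NOTE(review): proxyProtocol.insecure trusts PROXY protocol headers from
  # every peer, so the client address seen by Traefik (and written to the
  # access log) can be set by whoever connects. If a PROXY-protocol load
  # balancer really sits in front, list it under proxyProtocol.trustedIPs
  # instead; if not, drop the proxyProtocol stanza.
  websocket-mopidy:
    address: ":6680"
    proxyProtocol:
      insecure: true
  websocket-snapcast:
    address: ":1780"
    proxyProtocol:
      insecure: true

# Encryption method
# NOTE(review): TLS options are part of Traefik's dynamic configuration;
# confirm this stanza is actually loaded from the static file, otherwise
# move it to provider.yml so that `tls.options: "foo"` on the router
# resolves.
tls:
  options:
    foo:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        # Was TLS_RSA_WITH_AES_256_GCM_SHA384: static RSA key exchange has
        # no forward secrecy, so the ECDHE equivalent is used instead.
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384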